wafris 2.0.6 → 2.1.0
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/lib/wafris/proxy_filter.rb +31 -0
- data/lib/wafris/version.rb +1 -1
- data/lib/wafris.rb +26 -12
- metadata +2 -2
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: e1efce2cd1d45e54016f741cbe2f90b99eaa1b9c13135775345a8c6c0799f9e8
|
|
4
|
+
data.tar.gz: 6b1e761814eaa0830e687b14a67862fd78b60220bc9cf79f5d7b52d0ff48b90c
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: c4ffd902c97eac5e6f93944da1b4cb8ef93a7504e4d93e0289ef117726eb8f13e8c9691001c2f7c1501d5c916ba1d40cb02aff1a055d90a07a5c56e37f19fce3
|
|
7
|
+
data.tar.gz: 56112f8a5bb85fca29a19e9ce3cd0500beb33f573caf415cd5c9f87ef1e2daee081b3da4508ede63712bed7404ff5ea1359471af90f3901164eac51bfa3ad04d
|
data/lib/wafris/proxy_filter.rb
CHANGED
|
@@ -1,3 +1,25 @@
|
|
|
1
|
+
# This file includes code from the https://github.com/rack/rack project,
|
|
2
|
+
# which is licensed under the MIT License.
|
|
3
|
+
# Copyright (C) 2007-2021 Leah Neukirchen <http://leahneukirchen.org/infopage.html>
|
|
4
|
+
#
|
|
5
|
+
# Permission is hereby granted, free of charge, to any person obtaining a copy
|
|
6
|
+
# of this software and associated documentation files (the "Software"), to deal
|
|
7
|
+
# in the Software without restriction, including without limitation the rights
|
|
8
|
+
# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
|
|
9
|
+
# copies of the Software, and to permit persons to whom the Software is
|
|
10
|
+
# furnished to do so, subject to the following conditions:
|
|
11
|
+
#
|
|
12
|
+
# The above copyright notice and this permission notice shall be included in
|
|
13
|
+
# all copies or substantial portions of the Software.
|
|
14
|
+
#
|
|
15
|
+
# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
|
|
16
|
+
# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
|
|
17
|
+
# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
|
|
18
|
+
# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
|
|
19
|
+
# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
|
|
20
|
+
# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
|
|
21
|
+
# THE SOFTWARE.
|
|
22
|
+
|
|
1
23
|
# frozen_string_literal: true
|
|
2
24
|
|
|
3
25
|
module Wafris
|
|
@@ -15,6 +37,15 @@ module Wafris
|
|
|
15
37
|
/\A172\.(1[6-9]|2[0-9]|3[01])#{valid_ipv4_octet}{2}\z/, # private IPv4 range 172.16.0.0 .. 172.31.255.255
|
|
16
38
|
/\A192\.168#{valid_ipv4_octet}{2}\z/, # private IPv4 range 192.168.x.x
|
|
17
39
|
/\Alocalhost\z|\Aunix(\z|:)/i, # localhost hostname, and unix domain sockets
|
|
40
|
+
# Cloudflare IPs: https://www.cloudflare.com/en-au/ips/
|
|
41
|
+
/\A103\.21\.24[4-7]#{valid_ipv4_octet}\z/, # 103.21.244.0/22
|
|
42
|
+
/\A103\.22\.20[0-3]#{valid_ipv4_octet}\z/, # 103.22.200.0/22
|
|
43
|
+
/\A103\.31\.[4-7]#{valid_ipv4_octet}\z/, # 103.31.4.0/22
|
|
44
|
+
/\A104\.(1[6-9]|2[0-3])#{valid_ipv4_octet}{2}\z/, # 104.16.0.0/13
|
|
45
|
+
/\A104\.2[4-7]#{valid_ipv4_octet}{2}\z/, # 104.24.0.0/14
|
|
46
|
+
/\A108\.162\.192#{valid_ipv4_octet}\z/, # 108.162.192.0/18
|
|
47
|
+
/\A162\.15[8-9]#{valid_ipv4_octet}{2}\z/, # 162.158.0.0/15
|
|
48
|
+
/\A172\.(6[4-9]|7[0-1])#{valid_ipv4_octet}{2}\z/, # 172.64.0.0/13
|
|
18
49
|
*user_defined_proxies
|
|
19
50
|
)
|
|
20
51
|
|
data/lib/wafris/version.rb
CHANGED
data/lib/wafris.rb
CHANGED
|
@@ -19,6 +19,19 @@ module Wafris
|
|
|
19
19
|
class << self
|
|
20
20
|
attr_accessor :configuration
|
|
21
21
|
|
|
22
|
+
ALLOWED_IP = "ai"
|
|
23
|
+
ALLOWED_CIDR = "ac"
|
|
24
|
+
BLOCKED_IP = "bi"
|
|
25
|
+
BLOCKED_CIDR = "bc"
|
|
26
|
+
BLOCKED_REPUTATION = "brep"
|
|
27
|
+
BLOCKED_COUNTRY = "bctry"
|
|
28
|
+
BLOCKED_USER_AGENT = "bu"
|
|
29
|
+
BLOCKED_PATH = "bp"
|
|
30
|
+
BLOCKED_PARAM = "bparam"
|
|
31
|
+
BLOCKED_HOST = "bh"
|
|
32
|
+
BLOCKED_METHOD = "bm"
|
|
33
|
+
BLOCKED_RATE_LIMIT = "brl"
|
|
34
|
+
|
|
22
35
|
def configure
|
|
23
36
|
self.configuration ||= Wafris::Configuration.new
|
|
24
37
|
yield(configuration)
|
|
@@ -434,34 +447,35 @@ module Wafris
|
|
|
434
447
|
SQLite3::Database.new "#{@configuration.db_file_path}/#{data_subscriptions_db_filename}"
|
|
435
448
|
|
|
436
449
|
ip = request.ip
|
|
437
|
-
|
|
438
|
-
return queue_upsync_request(request, "Allowed",
|
|
439
|
-
return queue_upsync_request(request, "
|
|
440
|
-
return queue_upsync_request(request, "Blocked",
|
|
450
|
+
|
|
451
|
+
return queue_upsync_request(request, "Allowed", ALLOWED_IP, ip) if exact_match(ip, "allowed_ips", rules_db)
|
|
452
|
+
return queue_upsync_request(request, "Allowed", ALLOWED_CIDR, ip) if ip_in_cidr_range(ip, "allowed_cidr_ranges", rules_db)
|
|
453
|
+
return queue_upsync_request(request, "Blocked", BLOCKED_IP, ip) if exact_match(ip, "blocked_ips", rules_db)
|
|
454
|
+
return queue_upsync_request(request, "Blocked", BLOCKED_CIDR, ip) if ip_in_cidr_range(ip, "blocked_cidr_ranges", rules_db)
|
|
441
455
|
|
|
442
456
|
country_code = get_country_code(ip, data_subscriptions_db)
|
|
443
|
-
return queue_upsync_request(request, "Blocked",
|
|
457
|
+
return queue_upsync_request(request, "Blocked", BLOCKED_COUNTRY, "G_#{country_code}") if exact_match(country_code, "blocked_country_codes", rules_db)
|
|
444
458
|
|
|
445
459
|
# Blocked Reputation IP Ranges
|
|
446
|
-
return queue_upsync_request(request, "Blocked",
|
|
460
|
+
return queue_upsync_request(request, "Blocked", BLOCKED_REPUTATION, "R") if ip_in_cidr_range(ip, "reputation_ip_ranges", data_subscriptions_db)
|
|
447
461
|
|
|
448
462
|
user_agent_match = substring_match(request.user_agent, "blocked_user_agents", rules_db)
|
|
449
|
-
return queue_upsync_request(request, "Blocked",
|
|
463
|
+
return queue_upsync_request(request, "Blocked", BLOCKED_USER_AGENT, user_agent_match) if user_agent_match
|
|
450
464
|
|
|
451
465
|
path_match = substring_match(request.path, "blocked_paths", rules_db)
|
|
452
|
-
return queue_upsync_request(request, "Blocked",
|
|
466
|
+
return queue_upsync_request(request, "Blocked", BLOCKED_PATH, path_match) if path_match
|
|
453
467
|
|
|
454
468
|
parameters_match = substring_match(request.parameters, "blocked_parameters", rules_db)
|
|
455
|
-
return queue_upsync_request(request, "Blocked",
|
|
469
|
+
return queue_upsync_request(request, "Blocked", BLOCKED_PARAM, parameters_match) if parameters_match
|
|
456
470
|
|
|
457
|
-
return queue_upsync_request(request, "Blocked",
|
|
471
|
+
return queue_upsync_request(request, "Blocked", BLOCKED_HOST, request.host) if exact_match(request.host, "blocked_hosts", rules_db)
|
|
458
472
|
|
|
459
|
-
return queue_upsync_request(request, "Blocked",
|
|
473
|
+
return queue_upsync_request(request, "Blocked", BLOCKED_METHOD, request.method) if exact_match(request.method, "blocked_methods", rules_db)
|
|
460
474
|
|
|
461
475
|
# Rate Limiting
|
|
462
476
|
rule_id = check_rate_limit(ip, request.path, request.method, rules_db)
|
|
463
477
|
if rule_id
|
|
464
|
-
return queue_upsync_request(request, "Blocked",
|
|
478
|
+
return queue_upsync_request(request, "Blocked", BLOCKED_RATE_LIMIT, rule_id)
|
|
465
479
|
end
|
|
466
480
|
end
|
|
467
481
|
|
metadata
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: wafris
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 2.0
|
|
4
|
+
version: 2.1.0
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Michael Buckbee
|
|
@@ -9,7 +9,7 @@ authors:
|
|
|
9
9
|
autorequire:
|
|
10
10
|
bindir: bin
|
|
11
11
|
cert_chain: []
|
|
12
|
-
date: 2024-
|
|
12
|
+
date: 2024-11-07 00:00:00.000000000 Z
|
|
13
13
|
dependencies:
|
|
14
14
|
- !ruby/object:Gem::Dependency
|
|
15
15
|
name: rack
|